Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
23-11-2024 19:44
Behavioral task
behavioral1
Sample
1126085785f71201baecdcf699af82ca66d7220a4cad89a7be9158eb3883268a.exe
Resource
win7-20240903-en
7 signatures
150 seconds
General
-
Target
1126085785f71201baecdcf699af82ca66d7220a4cad89a7be9158eb3883268a.exe
-
Size
332KB
-
MD5
1524c7123eb53fe802c10383c06094a7
-
SHA1
333438f0d802c55d9b613e79472115f82cf399a0
-
SHA256
1126085785f71201baecdcf699af82ca66d7220a4cad89a7be9158eb3883268a
-
SHA512
a3b4b55161b0835626e3323974c7485327effde4b3c8fa481f5554f04d7a5735157c03d165d9288771dcf8c262d3628a7effeab75c4ec106ddba1bf7722170f8
-
SSDEEP
6144:Lcm4FmowdHoSHt251UriZFwfsDX2UznsaFVNJCMKAbe4:R4wFHoSHYHUrAwfMp3CD4
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/5008-4-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5076-11-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1884-12-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1040-22-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1076-27-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5080-31-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1960-16-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3692-39-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1604-45-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3152-49-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1616-55-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4840-66-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2556-77-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3500-81-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1224-89-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/312-109-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1432-114-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2192-119-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4904-100-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3896-101-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3544-88-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/2380-126-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/32-135-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2600-133-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/908-142-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3812-158-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3420-161-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1476-164-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1708-169-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3532-172-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1800-175-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1188-182-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2692-189-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2996-194-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2520-199-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1988-202-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1824-207-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/368-226-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3316-235-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2876-240-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2280-258-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4992-261-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/3500-264-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2660-273-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4124-286-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4072-304-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/908-302-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/216-307-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5012-310-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3400-319-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1956-330-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1336-363-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3692-370-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/372-416-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4068-431-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2816-464-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3244-513-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/536-544-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3956-579-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3040-634-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1504-770-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1884-841-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2500-1314-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/5116-1373-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 5076 nhtnhn.exe 1884 xllfxxr.exe 1960 xxfxlfl.exe 1040 nntnhn.exe 1076 dpdpp.exe 5080 rlrrllr.exe 3692 rllfxxl.exe 1604 nhbthb.exe 3152 rxfxrlf.exe 1616 lrxrllf.exe 3116 1ddvj.exe 3224 xrxxxrl.exe 4840 nbnnnn.exe 864 vvpjp.exe 2556 thtnhb.exe 3500 7vddv.exe 3544 lxxxrlf.exe 1224 jjdjp.exe 3896 7dvpj.exe 4904 rlrfrlf.exe 2780 nhtntn.exe 312 3pvjd.exe 1432 xxxlffx.exe 2192 7pjdp.exe 2380 rfrffxf.exe 2600 9jjdv.exe 32 1ffxlfr.exe 908 btbnnh.exe 4088 bttbtn.exe 2936 9vvpj.exe 2316 5dddv.exe 3812 ffxrrlf.exe 3420 9vjdv.exe 1476 9xfxrrl.exe 2368 hbnnhn.exe 1708 hntnbb.exe 3532 jjpdv.exe 1800 frlrllf.exe 5116 htbthb.exe 4832 xlrfxxr.exe 1188 3ffxrfx.exe 3104 1jpjj.exe 228 5rfxrrf.exe 2692 3nhbnn.exe 4416 3ntttn.exe 2996 7ppdp.exe 4500 lxfxlxf.exe 2520 tbbtnh.exe 1988 fffrlfx.exe 428 bbhnhb.exe 3124 1vdvv.exe 1824 xllxrlf.exe 4680 dvpvj.exe 2544 dvpjj.exe 5076 xlrrlrl.exe 2360 7tbtnt.exe 2552 jddvp.exe 2068 jvjdj.exe 1112 lfxrxxr.exe 368 fxfxrxx.exe 236 htbttt.exe 1172 9ddvp.exe 3692 lxfxxrf.exe 3316 rrfxrrf.exe -
resource yara_rule behavioral2/memory/5008-0-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000c000000023bab-3.dat upx behavioral2/memory/5008-4-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023c9f-9.dat upx behavioral2/memory/5076-11-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1884-12-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023ca3-10.dat upx behavioral2/memory/1040-22-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1076-27-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023ca5-25.dat upx behavioral2/files/0x0007000000023ca6-29.dat upx behavioral2/memory/5080-31-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023ca4-19.dat upx behavioral2/memory/1960-16-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023ca7-34.dat upx behavioral2/files/0x0007000000023ca8-38.dat upx behavioral2/memory/3692-39-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023caa-44.dat upx behavioral2/memory/1604-45-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cab-48.dat upx behavioral2/memory/3152-49-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cac-53.dat upx behavioral2/memory/1616-55-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cad-58.dat upx behavioral2/files/0x0007000000023cae-62.dat upx behavioral2/files/0x0007000000023caf-67.dat upx behavioral2/memory/864-69-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4840-66-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cb0-73.dat upx behavioral2/memory/2556-77-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cb1-76.dat upx 
behavioral2/memory/3500-81-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cb3-82.dat upx behavioral2/files/0x0008000000023ca0-86.dat upx behavioral2/files/0x0007000000023cb4-93.dat upx behavioral2/memory/1224-89-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cb7-106.dat upx behavioral2/memory/312-109-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cb6-103.dat upx behavioral2/files/0x0007000000023cb8-111.dat upx behavioral2/memory/1432-114-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cb9-116.dat upx behavioral2/memory/2192-119-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cba-122.dat upx behavioral2/memory/2380-123-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4904-100-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cb5-97.dat upx behavioral2/memory/3896-101-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3544-88-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cbb-127.dat upx behavioral2/memory/2380-126-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cbc-131.dat upx behavioral2/memory/32-135-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2600-133-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cbd-137.dat upx behavioral2/files/0x0007000000023cbe-141.dat upx behavioral2/memory/908-142-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cbf-146.dat upx behavioral2/files/0x0007000000023cc0-151.dat upx behavioral2/files/0x0007000000023cc1-154.dat upx behavioral2/memory/3812-158-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3420-161-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral2/memory/1476-164-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1708-169-0x0000000000400000-0x0000000000427000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer that host's geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnbbtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrlfllr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vddvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5ddvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpdjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlxxlfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvdvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3jvvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 5008 wrote to memory of 5076 5008 1126085785f71201baecdcf699af82ca66d7220a4cad89a7be9158eb3883268a.exe 84 PID 5008 wrote to memory of 5076 5008 1126085785f71201baecdcf699af82ca66d7220a4cad89a7be9158eb3883268a.exe 84 PID 5008 wrote to memory of 5076 5008 1126085785f71201baecdcf699af82ca66d7220a4cad89a7be9158eb3883268a.exe 84 PID 5076 wrote to memory of 1884 5076 nhtnhn.exe 85 PID 5076 wrote to memory of 1884 5076 nhtnhn.exe 85 PID 5076 wrote to memory of 1884 5076 nhtnhn.exe 85 PID 1884 wrote to memory of 1960 1884 xllfxxr.exe 86 PID 1884 wrote to memory of 1960 1884 xllfxxr.exe 86 PID 1884 wrote to memory of 1960 1884 xllfxxr.exe 86 PID 1960 wrote to memory of 1040 1960 xxfxlfl.exe 87 PID 1960 wrote to memory of 1040 1960 xxfxlfl.exe 87 PID 1960 wrote to memory of 1040 1960 xxfxlfl.exe 87 PID 1040 wrote to memory of 1076 1040 nntnhn.exe 88 PID 1040 wrote to memory of 1076 1040 nntnhn.exe 88 PID 1040 wrote to memory of 1076 1040 nntnhn.exe 88 PID 1076 wrote to memory of 5080 1076 dpdpp.exe 89 PID 1076 wrote to memory of 5080 1076 dpdpp.exe 89 PID 1076 wrote to memory of 5080 1076 dpdpp.exe 89 PID 5080 wrote to memory of 3692 5080 rlrrllr.exe 90 PID 5080 wrote to memory of 3692 5080 rlrrllr.exe 90 PID 5080 wrote to memory of 3692 5080 rlrrllr.exe 90 PID 3692 wrote to memory of 1604 3692 rllfxxl.exe 91 PID 3692 wrote to memory of 1604 3692 rllfxxl.exe 91 PID 3692 wrote to memory of 1604 3692 rllfxxl.exe 91 PID 1604 wrote to memory of 3152 1604 nhbthb.exe 92 PID 1604 wrote to memory of 3152 1604 nhbthb.exe 92 PID 1604 wrote to memory of 3152 1604 nhbthb.exe 92 PID 3152 wrote to memory of 1616 3152 rxfxrlf.exe 93 PID 3152 wrote to memory of 1616 3152 rxfxrlf.exe 93 PID 3152 wrote to memory of 1616 3152 rxfxrlf.exe 93 PID 1616 wrote to memory of 3116 1616 lrxrllf.exe 94 PID 1616 wrote to memory of 3116 1616 lrxrllf.exe 94 PID 1616 wrote to memory of 3116 1616 lrxrllf.exe 94 PID 3116 wrote to memory of 3224 3116 1ddvj.exe 95 PID 
3116 wrote to memory of 3224 3116 1ddvj.exe 95 PID 3116 wrote to memory of 3224 3116 1ddvj.exe 95 PID 3224 wrote to memory of 4840 3224 xrxxxrl.exe 96 PID 3224 wrote to memory of 4840 3224 xrxxxrl.exe 96 PID 3224 wrote to memory of 4840 3224 xrxxxrl.exe 96 PID 4840 wrote to memory of 864 4840 nbnnnn.exe 97 PID 4840 wrote to memory of 864 4840 nbnnnn.exe 97 PID 4840 wrote to memory of 864 4840 nbnnnn.exe 97 PID 864 wrote to memory of 2556 864 vvpjp.exe 98 PID 864 wrote to memory of 2556 864 vvpjp.exe 98 PID 864 wrote to memory of 2556 864 vvpjp.exe 98 PID 2556 wrote to memory of 3500 2556 thtnhb.exe 99 PID 2556 wrote to memory of 3500 2556 thtnhb.exe 99 PID 2556 wrote to memory of 3500 2556 thtnhb.exe 99 PID 3500 wrote to memory of 3544 3500 7vddv.exe 100 PID 3500 wrote to memory of 3544 3500 7vddv.exe 100 PID 3500 wrote to memory of 3544 3500 7vddv.exe 100 PID 3544 wrote to memory of 1224 3544 lxxxrlf.exe 101 PID 3544 wrote to memory of 1224 3544 lxxxrlf.exe 101 PID 3544 wrote to memory of 1224 3544 lxxxrlf.exe 101 PID 1224 wrote to memory of 3896 1224 jjdjp.exe 102 PID 1224 wrote to memory of 3896 1224 jjdjp.exe 102 PID 1224 wrote to memory of 3896 1224 jjdjp.exe 102 PID 3896 wrote to memory of 4904 3896 7dvpj.exe 103 PID 3896 wrote to memory of 4904 3896 7dvpj.exe 103 PID 3896 wrote to memory of 4904 3896 7dvpj.exe 103 PID 4904 wrote to memory of 2780 4904 rlrfrlf.exe 104 PID 4904 wrote to memory of 2780 4904 rlrfrlf.exe 104 PID 4904 wrote to memory of 2780 4904 rlrfrlf.exe 104 PID 2780 wrote to memory of 312 2780 nhtntn.exe 105
Processes
-
C:\Users\Admin\AppData\Local\Temp\1126085785f71201baecdcf699af82ca66d7220a4cad89a7be9158eb3883268a.exe"C:\Users\Admin\AppData\Local\Temp\1126085785f71201baecdcf699af82ca66d7220a4cad89a7be9158eb3883268a.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:5008 -
\??\c:\nhtnhn.exec:\nhtnhn.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5076 -
\??\c:\xllfxxr.exec:\xllfxxr.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1884 -
\??\c:\xxfxlfl.exec:\xxfxlfl.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1960 -
\??\c:\nntnhn.exec:\nntnhn.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1040 -
\??\c:\dpdpp.exec:\dpdpp.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1076 -
\??\c:\rlrrllr.exec:\rlrrllr.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5080 -
\??\c:\rllfxxl.exec:\rllfxxl.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3692 -
\??\c:\nhbthb.exec:\nhbthb.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1604 -
\??\c:\rxfxrlf.exec:\rxfxrlf.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3152 -
\??\c:\lrxrllf.exec:\lrxrllf.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1616 -
\??\c:\1ddvj.exec:\1ddvj.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3116 -
\??\c:\xrxxxrl.exec:\xrxxxrl.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3224 -
\??\c:\nbnnnn.exec:\nbnnnn.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4840 -
\??\c:\vvpjp.exec:\vvpjp.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:864 -
\??\c:\thtnhb.exec:\thtnhb.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2556 -
\??\c:\7vddv.exec:\7vddv.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3500 -
\??\c:\lxxxrlf.exec:\lxxxrlf.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3544 -
\??\c:\jjdjp.exec:\jjdjp.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1224 -
\??\c:\7dvpj.exec:\7dvpj.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3896 -
\??\c:\rlrfrlf.exec:\rlrfrlf.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4904 -
\??\c:\nhtntn.exec:\nhtntn.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2780 -
\??\c:\3pvjd.exec:\3pvjd.exe23⤵
- Executes dropped EXE
PID:312 -
\??\c:\xxxlffx.exec:\xxxlffx.exe24⤵
- Executes dropped EXE
PID:1432 -
\??\c:\7pjdp.exec:\7pjdp.exe25⤵
- Executes dropped EXE
PID:2192 -
\??\c:\rfrffxf.exec:\rfrffxf.exe26⤵
- Executes dropped EXE
PID:2380 -
\??\c:\9jjdv.exec:\9jjdv.exe27⤵
- Executes dropped EXE
PID:2600 -
\??\c:\1ffxlfr.exec:\1ffxlfr.exe28⤵
- Executes dropped EXE
PID:32 -
\??\c:\btbnnh.exec:\btbnnh.exe29⤵
- Executes dropped EXE
PID:908 -
\??\c:\bttbtn.exec:\bttbtn.exe30⤵
- Executes dropped EXE
PID:4088 -
\??\c:\9vvpj.exec:\9vvpj.exe31⤵
- Executes dropped EXE
PID:2936 -
\??\c:\5dddv.exec:\5dddv.exe32⤵
- Executes dropped EXE
PID:2316 -
\??\c:\ffxrrlf.exec:\ffxrrlf.exe33⤵
- Executes dropped EXE
PID:3812 -
\??\c:\9vjdv.exec:\9vjdv.exe34⤵
- Executes dropped EXE
PID:3420 -
\??\c:\9xfxrrl.exec:\9xfxrrl.exe35⤵
- Executes dropped EXE
PID:1476 -
\??\c:\hbnnhn.exec:\hbnnhn.exe36⤵
- Executes dropped EXE
PID:2368 -
\??\c:\hntnbb.exec:\hntnbb.exe37⤵
- Executes dropped EXE
PID:1708 -
\??\c:\jjpdv.exec:\jjpdv.exe38⤵
- Executes dropped EXE
PID:3532 -
\??\c:\frlrllf.exec:\frlrllf.exe39⤵
- Executes dropped EXE
PID:1800 -
\??\c:\htbthb.exec:\htbthb.exe40⤵
- Executes dropped EXE
PID:5116 -
\??\c:\xlrfxxr.exec:\xlrfxxr.exe41⤵
- Executes dropped EXE
PID:4832 -
\??\c:\3ffxrfx.exec:\3ffxrfx.exe42⤵
- Executes dropped EXE
PID:1188 -
\??\c:\1jpjj.exec:\1jpjj.exe43⤵
- Executes dropped EXE
PID:3104 -
\??\c:\5rfxrrf.exec:\5rfxrrf.exe44⤵
- Executes dropped EXE
PID:228 -
\??\c:\3nhbnn.exec:\3nhbnn.exe45⤵
- Executes dropped EXE
PID:2692 -
\??\c:\3ntttn.exec:\3ntttn.exe46⤵
- Executes dropped EXE
PID:4416 -
\??\c:\7ppdp.exec:\7ppdp.exe47⤵
- Executes dropped EXE
PID:2996 -
\??\c:\lxfxlxf.exec:\lxfxlxf.exe48⤵
- Executes dropped EXE
PID:4500 -
\??\c:\tbbtnh.exec:\tbbtnh.exe49⤵
- Executes dropped EXE
PID:2520 -
\??\c:\fffrlfx.exec:\fffrlfx.exe50⤵
- Executes dropped EXE
PID:1988 -
\??\c:\bbhnhb.exec:\bbhnhb.exe51⤵
- Executes dropped EXE
PID:428 -
\??\c:\1vdvv.exec:\1vdvv.exe52⤵
- Executes dropped EXE
PID:3124 -
\??\c:\xllxrlf.exec:\xllxrlf.exe53⤵
- Executes dropped EXE
PID:1824 -
\??\c:\5ttbtt.exec:\5ttbtt.exe54⤵PID:4308
-
\??\c:\dvpvj.exec:\dvpvj.exe55⤵
- Executes dropped EXE
PID:4680 -
\??\c:\dvpjj.exec:\dvpjj.exe56⤵
- Executes dropped EXE
PID:2544 -
\??\c:\xlrrlrl.exec:\xlrrlrl.exe57⤵
- Executes dropped EXE
PID:5076 -
\??\c:\7tbtnt.exec:\7tbtnt.exe58⤵
- Executes dropped EXE
PID:2360 -
\??\c:\jddvp.exec:\jddvp.exe59⤵
- Executes dropped EXE
PID:2552 -
\??\c:\jvjdj.exec:\jvjdj.exe60⤵
- Executes dropped EXE
PID:2068 -
\??\c:\lfxrxxr.exec:\lfxrxxr.exe61⤵
- Executes dropped EXE
PID:1112 -
\??\c:\fxfxrxx.exec:\fxfxrxx.exe62⤵
- Executes dropped EXE
PID:368 -
\??\c:\htbttt.exec:\htbttt.exe63⤵
- Executes dropped EXE
PID:236 -
\??\c:\9ddvp.exec:\9ddvp.exe64⤵
- Executes dropped EXE
PID:1172 -
\??\c:\lxfxxrf.exec:\lxfxxrf.exe65⤵
- Executes dropped EXE
PID:3692 -
\??\c:\rrfxrrf.exec:\rrfxrrf.exe66⤵
- Executes dropped EXE
PID:3316 -
\??\c:\9nttnt.exec:\9nttnt.exe67⤵PID:4176
-
\??\c:\ppjdd.exec:\ppjdd.exe68⤵PID:2876
-
\??\c:\pjpjj.exec:\pjpjj.exe69⤵PID:3352
-
\??\c:\5flffff.exec:\5flffff.exe70⤵PID:3404
-
\??\c:\hbhhnn.exec:\hbhhnn.exe71⤵PID:4808
-
\??\c:\nhtttb.exec:\nhtttb.exe72⤵PID:3592
-
\??\c:\jpdvv.exec:\jpdvv.exe73⤵PID:2500
-
\??\c:\rffrllf.exec:\rffrllf.exe74⤵PID:2216
-
\??\c:\rlrrrrl.exec:\rlrrrrl.exe75⤵PID:4900
-
\??\c:\thbttt.exec:\thbttt.exe76⤵PID:2280
-
\??\c:\jjvvd.exec:\jjvvd.exe77⤵PID:4992
-
\??\c:\9vddv.exec:\9vddv.exe78⤵PID:3500
-
\??\c:\5xffxxx.exec:\5xffxxx.exe79⤵PID:2832
-
\??\c:\btnnhh.exec:\btnnhh.exe80⤵PID:3572
-
\??\c:\jdjdv.exec:\jdjdv.exe81⤵PID:3292
-
\??\c:\7rrlffx.exec:\7rrlffx.exe82⤵PID:2660
-
\??\c:\xrrrrll.exec:\xrrrrll.exe83⤵PID:4372
-
\??\c:\5nthbb.exec:\5nthbb.exe84⤵PID:3004
-
\??\c:\3djdv.exec:\3djdv.exe85⤵PID:4632
-
\??\c:\vvvpj.exec:\vvvpj.exe86⤵PID:536
-
\??\c:\7fflxxr.exec:\7fflxxr.exe87⤵PID:4920
-
\??\c:\nnbthh.exec:\nnbthh.exe88⤵PID:4124
-
\??\c:\vvpdj.exec:\vvpdj.exe89⤵PID:4536
-
\??\c:\rlxxlfr.exec:\rlxxlfr.exe90⤵
- System Location Discovery: System Language Discovery
PID:3172 -
\??\c:\1lrlxxr.exec:\1lrlxxr.exe91⤵PID:4940
-
\??\c:\bnnnbb.exec:\bnnnbb.exe92⤵PID:3304
-
\??\c:\dvpjd.exec:\dvpjd.exe93⤵PID:3248
-
\??\c:\pdpdv.exec:\pdpdv.exe94⤵PID:584
-
\??\c:\rxfxrfx.exec:\rxfxrfx.exe95⤵PID:908
-
\??\c:\nbhbtt.exec:\nbhbtt.exe96⤵PID:4072
-
\??\c:\9tnhbb.exec:\9tnhbb.exe97⤵PID:216
-
\??\c:\vjvpj.exec:\vjvpj.exe98⤵PID:5012
-
\??\c:\1rxrlfx.exec:\1rxrlfx.exe99⤵PID:3464
-
\??\c:\3llffll.exec:\3llffll.exe100⤵PID:4916
-
\??\c:\7bhnnn.exec:\7bhnnn.exe101⤵PID:2892
-
\??\c:\jddvv.exec:\jddvv.exe102⤵PID:3400
-
\??\c:\9vddv.exec:\9vddv.exe103⤵PID:4908
-
\??\c:\3fxrrrx.exec:\3fxrrrx.exe104⤵PID:1164
-
\??\c:\nntntn.exec:\nntntn.exe105⤵PID:2800
-
\??\c:\vdjdv.exec:\vdjdv.exe106⤵PID:1512
-
\??\c:\djddj.exec:\djddj.exe107⤵PID:1956
-
\??\c:\lxrlfff.exec:\lxrlfff.exe108⤵PID:776
-
\??\c:\hbhbtn.exec:\hbhbtn.exe109⤵PID:4776
-
\??\c:\ffxrlfr.exec:\ffxrlfr.exe110⤵PID:1132
-
\??\c:\fffrrff.exec:\fffrrff.exe111⤵PID:1772
-
\??\c:\7ttnhh.exec:\7ttnhh.exe112⤵PID:224
-
\??\c:\pdpjd.exec:\pdpjd.exe113⤵PID:3124
-
\??\c:\lrlfxxr.exec:\lrlfxxr.exe114⤵PID:3516
-
\??\c:\fffxlff.exec:\fffxlff.exe115⤵PID:5008
-
\??\c:\5hnhnh.exec:\5hnhnh.exe116⤵PID:4376
-
\??\c:\ppjjd.exec:\ppjjd.exe117⤵PID:2012
-
\??\c:\xlrrllf.exec:\xlrrllf.exe118⤵PID:1820
-
\??\c:\frlxxrr.exec:\frlxxrr.exe119⤵PID:4848
-
\??\c:\bbtnbh.exec:\bbtnbh.exe120⤵PID:1076
-
\??\c:\9jjdp.exec:\9jjdp.exe121⤵PID:2068
-
\??\c:\fffxllf.exec:\fffxllf.exe122⤵PID:1112
-